22 lines
1.3 KiB
Text
22 lines
1.3 KiB
Text
PortSentry is designed to detect and respond to port scans against a
|
|
target host in real-time. Some of the more useful features include:
|
|
|
|
+ Runs on TCP and UDP sockets to detect port scans against your
|
|
system. PortSentry is configurable to run on multiple sockets at the
|
|
same time so you only need to start one copy to cover dozens of
|
|
tripwired services.
|
|
+ PortSentry will react to a port scan attempt by blocking the host in
|
|
real-time. This is done through configured options of either dropping
|
|
the local route back to the attacker, using the Linux ipfwadm/ipchains
|
|
command, *BSD ipfw command, and/or dropping the attacker host IP into
|
|
a TCP Wrappers hosts.deny file automatically.
|
|
+ PortSentry has an internal state engine to remember hosts that
|
|
connected previously. This allows the setting of a trigger value to
|
|
prevent false alarms and detect "random" port probing.
|
|
+ PortSentry will report all violations to the local or remote syslog
|
|
daemons indicating the system name, time of attack, attacking host IP
|
|
and the TCP or UDP port a connection attempt was made to. When used
|
|
in conjunction with Logcheck it will provide an alert to
|
|
administrators through e-mail.
|
|
+ Once a scan is detected your system will turn into a blackhole and
|
|
disappear from the attacker. This feature stops most attacks cold.
|